SOUND4 IMPACT
- <= 2
A conditional command injection vulnerability has been identified in SOUND4 IMPACT, FIRST, PULSE, and ECO products, in versions through 2.x. It allows local authenticated users to create malicious files in the /tmp directory. Unauthenticated attackers can then execute commands by sending an HTTP POST request to the traceroute.php script, which runs the malicious file and removes it after execution.
Exploitation of this vulnerability could lead to unauthorized command execution on the affected system.
To reproduce this vulnerability, a local authenticated user can create a file in the /tmp directory with a .traceroute.pid extension, containing malicious commands. After the file is created, an external unauthenticated attacker can send a POST request to the traceroute.php script, which will execute the commands from the malicious file. The executed commands can include anything that the web server user has permission to run, such as accessing sensitive files or executing scripts that could compromise the system.
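A defender can look for both halves of the condition described above: staged `.traceroute.pid` files in /tmp and POST requests to traceroute.php in the web server log. The following is an added example, not code from the advisory or from SOUND4; it assumes a benign pid file contains only a decimal process id and that the access log uses the common/combined log format, and the log lines are constructed samples.

```python
import os
import re

# Assumption: a legitimate pid file holds nothing but a decimal process id.
PID_ONLY = re.compile(r"\A\s*\d+\s*\Z")
# Assumption: common/combined log format, request field is "METHOD path PROTO".
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*"')

def suspicious_pid_files(directory="/tmp"):
    """Return *.traceroute.pid paths whose content is not a bare PID."""
    hits = []
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".traceroute.pid"):
            continue
        path = os.path.join(directory, name)
        # A symlink or non-regular file under this name is itself unexpected.
        if os.path.islink(path) or not os.path.isfile(path):
            hits.append(path)
            continue
        with open(path, "r", errors="replace") as fh:
            content = fh.read(4096)
        if not PID_ONLY.match(content):
            hits.append(path)
    return hits

def traceroute_posts(log_lines):
    """Return log lines that are POST requests to traceroute.php."""
    out = []
    for line in log_lines:
        m = REQUEST.search(line)
        if not m or m.group("method") != "POST":
            continue
        script = m.group("path").split("?", 1)[0].rsplit("/", 1)[-1]
        if script.lower() == "traceroute.php":
            out.append(line)
    return out

# Constructed sample access-log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php HTTP/1.1" 200 512',
    '192.0.2.44 - - [01/Jan/2024:10:00:05 +0000] "POST /traceroute.php HTTP/1.1" 200 87',
    '192.0.2.10 - - [01/Jan/2024:10:00:09 +0000] "GET /traceroute.php HTTP/1.1" 200 87',
]

if __name__ == "__main__":
    for p in suspicious_pid_files("/tmp"):
        print("review file:", p)
    for entry in traceroute_posts(SAMPLE_LOG):
        print("review request:", entry)
```

Because the script removes the file after execution, the file check only catches payloads that are staged but not yet triggered; the log check is what remains afterwards.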